Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

7 hours from announcement of the bug to you probably being compromised. Dang, "Internet Time" sure is fast.

Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.

No evidence? I would like to see what some of these attacks look like from the operating system audit trails or the database audit trails.

What is this bug? According to Drupal's security advisory, it is in security code to prevent SQL Injection attacks. Sad irony. :(